PGP signatures

Paul Wiener PMMAIL Discussion List <PMMAIL-L@VM.EGE.EDU.TR>
Sun, 25 Apr 1999 23:13:30 -0700


On Mon, 26 Apr 1999 05:18:46 +0300, Cristian Secara wrote:

>I find the effort involved too big.
>
>For me, the single place where encryption may make sense is at work,
>where:
>a) there may be something important for a given business
>b) there may be something purely personal and I simply don't want other
>people to read my message
>
>In any case, I have first to make a deal with the involved e-mail
>partner (configuring software, exchanging keys). The most difficult
>task is to explain what the hell this encryption is and how it
>works! (Have you ever tried to explain this to a young lady, whose
>almost all knowledge about computers is double-click MS Word -> open
>file -> [write text] -> save as ... -> print ?)

I've had to explain PGP so often that I've written a "canned" article about
it that I can just plug in whenever anybody enquires. I'd offer it to you to
use as well, but it's now a little outdated.

>If I happen to receive an encrypted message from an unknown or vaguely
>known sender, whose public key - if it happens to be PGP - I didn't
>have, if there is no evidence of the importance of the message, it is
>most likely that that message will be deleted.
>
>Remember, PGP is not the single encryption system available. It's free
>for non-commercial users only. If a company has to pay for using
>encryption software, how can I know they purchase PGP and not Verisign?
>I want to say that before sending encrypted e-mail, *both* parts
>involved (sender and receiver) have to agree if and what encryption
>method they will use.

Here's what I think you're overlooking. Suppose I signed all my messages with
PGP or some other established sender-validation and message-integrity
assurance system. Perhaps you'd receive some of these messages--say through a
mailing list like this one. Because of the subject matter and venue in which
these messages were being presented, you might feel security is not an issue,
in which case you could simply ignore the signatures. If at some time,
though, I should try to disavow something that was said in one of my
messages, or what appeared to be one of my messages, you could then acquire
the pertinent privacy package, be it PGP, Verisign, some variation of
Blowfish, or whatever, and could then definitively determine whether I was
lying or if the disputed message had indeed been forged or altered.

--
___________
Paul Wiener

paulish@paulish.com
got_the_T-shirt@been-there.com
paulish@cyberjunkie.com
paulish@planetarymotion.net
paulish@thepentagon.com
paulish@usa.net
tinea-pedis@bigfoot.com
KJ6AV@callsign.net
pw@i.am
--------------------------------------------------------